Rapid7 Blog

Weekly Update

Disclosures for SuperMicro IPMI

On the heels of last week's bundle of FOSS disclosures, we've gone in a totally different direction this week with a new round of disclosures. Today, we're concentrating on a single vendor that ships firmware for Baseboard Management Controllers (BMCs): Supermicro, and its Supermicro IPMI firmware. You can read up on the details in HD's blog post, which covers the five new CVEs.

It's important to stress that the vulnerabilities discussed by HD don't actually have much to do with the IPMI protocol itself; rather, the focus was on the web and SSH management interfaces that the firmware also runs. That matters because these oft-overlooked network services give an attacker a foothold in your datacenter, especially if you have permissive or non-existent firewall rules that expose them to the Internet. By default, Supermicro's IPMI web and SSH interfaces listen on TCP/443 and TCP/22, as you'd expect.

A simple network misconfiguration, such as a blanket "allow" rule on these ports, can accidentally expose these interfaces to the Internet. Experience shows that exposing management interfaces to the Internet is surprisingly common, and a quick peek at the Internet courtesy of Project Sonar shows that there are over 35,000 Supermicro IPMI interfaces exposed to the world. Yikes.
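One practical check for the "blanket allow" problem described above is to simulate an Internet-sourced probe against a BMC's management ports through your firewall rule set before the rules ship. The following is an added example, not code from the original post or from Metasploit; the rule names, address ranges, the BMC address 10.20.0.5 and the probe address 203.0.113.1 (a TEST-NET-3 documentation address) are all constructed for illustration. Rules are evaluated first-match-wins, which is how most firewalls behave, so a wide allow that sits above the default deny gets caught.

```ruby
require 'ipaddr'

# Default listeners on Supermicro IPMI firmware: SSH on TCP/22, web UI on TCP/443.
MGMT_PORTS = [22, 443].freeze

# Constructed sample rule set (hypothetical names and ranges). The second rule is
# the kind of blanket "allow 443 from anywhere" that leaks a BMC to the Internet.
SAMPLE_RULES = [
  { name: 'vpn-ssh-to-bmc', src: '192.168.5.0/24', dst: '10.20.0.0/24', dport: 22,   action: :allow },
  { name: 'blanket-https',  src: '0.0.0.0/0',      dst: '0.0.0.0/0',    dport: 443,  action: :allow },
  { name: 'default-deny',   src: '0.0.0.0/0',      dst: '0.0.0.0/0',    dport: :any, action: :deny }
].freeze

# True when a single rule covers the given source, destination and TCP port.
def rule_matches?(rule, src, dst, port)
  IPAddr.new(rule[:src]).include?(src) &&
    IPAddr.new(rule[:dst]).include?(dst) &&
    (rule[:dport] == :any || rule[:dport] == port)
end

# First-match-wins lookup; nil means no rule matched (treated as an implicit deny).
def first_match(rules, src, dst, port)
  rules.find { |r| rule_matches?(r, src, dst, port) }
end

# Simulate a probe from an Internet address against each management port of a BMC.
# Returns { port => rule_name } for every port the rule set would let through.
def exposed_ports(rules, bmc_ip, probe_src = '203.0.113.1', ports = MGMT_PORTS)
  src = IPAddr.new(probe_src)
  dst = IPAddr.new(bmc_ip)
  ports.each_with_object({}) do |port, exposed|
    hit = first_match(rules, src, dst, port)
    exposed[port] = hit[:name] if hit && hit[:action] == :allow
  end
end

if __FILE__ == $PROGRAM_NAME
  result = exposed_ports(SAMPLE_RULES, '10.20.0.5')
  if result.empty?
    puts 'No BMC management ports reachable from the probe address.'
  else
    result.each do |port, rule|
      puts "TCP/#{port} on 10.20.0.5 is reachable from the Internet via rule '#{rule}'"
    end
  end
end
```

With the sample rules, TCP/443 is reported as exposed through 'blanket-https' while TCP/22 is not, because the only SSH allow is scoped to the VPN range. Swap in your real BMC addresses and exported rules, and run it from a non-RFC1918 probe address as well as from each internal network that should legitimately reach the BMCs.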

We're toiling away on putting together some reliable exploits and scanner modules for the vulnerabilities, so keep an eye on the Metasploit Framework Repository for those. And speaking of our open source repo...

Signed Commits for Metasploit Framework

In Metasploit Framework development news, we've started getting serious about cryptographically signing our commits to Metasploit Framework. This was inspired by the most excellent blog post from Mike Gerwitz, A Git Horror Story: Repository Integrity with Signed Commits. At this point, pretty much all merges to Metasploit's master branch are signed with the committer's PGP key, and you can confirm the signatures yourself by this easy and not-so-fun two-step process: first, get hold of all the committer keys and import them with your command line PGP/GPG application; next, run "git log --show-signature --merges" and marvel at the cryptographic integrity of the most recent merges. Note that without the committer keys in your keyring, git can only tell you that a signature is present, not that it is good.

For me, the main reason to do something like this is to add a layer of authenticity to our open source project. By ensuring that commits to master are signed, even if one of our committers' GitHub accounts gets totally compromised, the attacker would still need to also compromise that committer's PGP private key in order to reasonably impersonate them. For most sensible people (our committers included), that means compromising the local key store, which is a much smaller attack surface than GitHub. GitHub is great -- seriously, it is -- but it's big, popular, and always online (pretty much), so it's an attractive target for both focused attacks and general vandalism.

Now, having end users verify these signatures automatically is another story; sadly, I don't have any advice for you on how to automatically reject and revert unsigned commits. Today, I eyeball it manually, which of course, sucks. We've asked GitHub nicely to provide some kind of indicator in their web UI that a commit is signed, so I'm hopeful that that feature is Coming Soon. If you have any advice for nice signature-verifying git functionality, comment below, por favor!

New Modules

We have two new exploits this week: one for ProcessMaker Open Source by longtime contributor Brendan Coles, and one for Beetel Connection Manager. The latter is the very first exploit module from our new hire, William Vu, so feel free to pay special attention to this module and file lots of annoying bugs for him on our Redmine issue tracker. Thanks guys!

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Ninja Update: We have just landed three new auxiliary modules for the Supermicro issues that can help in scanning efforts; they'll be in next week's Metasploit update, but those of you who are following our bleeding-edge source can fetch them from GitHub.